Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
18-05-2024 16:15
Static task
static1
Behavioral task
behavioral1
Sample
DHL DELIVERY NOTIFICATIONS_PDF.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
DHL DELIVERY NOTIFICATIONS_PDF.exe
Resource
win10v2004-20240508-en
General
-
Target
DHL DELIVERY NOTIFICATIONS_PDF.exe
-
Size
1.2MB
-
MD5
db6402598c61afc744302ddee3709138
-
SHA1
19b9742924e8d6d648fb9a83cf51302a5558b4bb
-
SHA256
525fb87d7847f492ee968f742edba531d80ea6c877afe7e0b8e36a69203a1df3
-
SHA512
5e3085aef1725770ca24d484025dac7d0136b6c61f819a9a1bf794a4b76e2f405480e66a0ca416dee12ceb90ba481030ce0b3f83c6f07bd07e5e7224d6ac988d
-
SSDEEP
12288:FZGWfYACds2n3WLm7rT6mHgTBBEYKRCaavcf0C90ebshTd+doVDTniKmxCyWrDwT:LmPdsKPHwBDKnaC9kDifxEPXWxDCST
Malware Config
Extracted
hawkeye_reborn
- fields
- name
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
resource yara_rule behavioral1/memory/2556-7-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/2556-9-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/2556-11-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/2556-13-0x0000000000FA0000-0x0000000001016000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/2556-13-0x0000000000FA0000-0x0000000001016000-memory.dmp WebBrowserPassView -
Nirsoft 1 IoCs
resource yara_rule behavioral1/memory/2556-13-0x0000000000FA0000-0x0000000001016000-memory.dmp Nirsoft -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 bot.whatismyipaddress.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1964 set thread context of 2556 1964 DHL DELIVERY NOTIFICATIONS_PDF.exe 28 -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1964 DHL DELIVERY NOTIFICATIONS_PDF.exe Token: SeDebugPrivilege 2556 DHL DELIVERY NOTIFICATIONS_PDF.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1964 wrote to memory of 2556 1964 DHL DELIVERY NOTIFICATIONS_PDF.exe 28 PID 1964 wrote to memory of 2556 1964 DHL DELIVERY NOTIFICATIONS_PDF.exe 28 PID 1964 wrote to memory of 2556 1964 DHL DELIVERY NOTIFICATIONS_PDF.exe 28 PID 1964 wrote to memory of 2556 1964 DHL DELIVERY NOTIFICATIONS_PDF.exe 28 PID 1964 wrote to memory of 2556 1964 DHL DELIVERY NOTIFICATIONS_PDF.exe 28 PID 1964 wrote to memory of 2556 1964 DHL DELIVERY NOTIFICATIONS_PDF.exe 28 PID 1964 wrote to memory of 2556 1964 DHL DELIVERY NOTIFICATIONS_PDF.exe 28 PID 1964 wrote to memory of 2556 1964 DHL DELIVERY NOTIFICATIONS_PDF.exe 28 PID 1964 wrote to memory of 2556 1964 DHL DELIVERY NOTIFICATIONS_PDF.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\DHL DELIVERY NOTIFICATIONS_PDF.exe"C:\Users\Admin\AppData\Local\Temp\DHL DELIVERY NOTIFICATIONS_PDF.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Users\Admin\AppData\Local\Temp\DHL DELIVERY NOTIFICATIONS_PDF.exe"C:\Users\Admin\AppData\Local\Temp\DHL DELIVERY NOTIFICATIONS_PDF.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2556
-